Overview of this talk


* Assumes "weird machine vocabulary" is known:
  o IFSM - intended finite state machine, emulated on ...
  o CPU - the real-world computing device with a significantly larger number of states, where ...
    ... some transitions of the emulated IFSM are ruled out by security properties.
  o Abstraction and concretization mappings between the IFSM and the real computing device.
  o CPU state space divided into sane, transitory, and weird states.
* Provides some intuitions about:
  o How composition makes weird machines powerful.
  o How theorems from extremal graph theory may be helpful to reason about weird machine mitigations.


[Figure: flowchart of the example IFSM (shown on two consecutive slides).
start -> Read input password-secret pair (A): read(p), read(s)
IF condition b: ∀(p', s') ∈ Memory: p' ≠ p, |Memory| < 4999 -> Store pair in memory (B): Memory ← Memory ∪ {(p, s)}
... -> Output the secret (C): print(s')
IF condition d: s = 0, ∀p' …, |Memory| = 5000 -> Output error message (D): print(0)]


[Figure: the IFSM state space (a handful of states) drawn beside the vastly larger CPU state space, shown on two slides.]


Every assembly instruction creates an edge.

Big graph: n = 2^(2^RAMSIZE) nodes, with each assembly instruction inducing
[Figure: IFSM beside the CPU state space. Colorful circles: sane states. Black circles: transitory states between A and E.]

Single-step IFSM transition emulated via multiple CPU instructions.

Different sane states may follow different paths.
Think of the state-space of the CPU as a directed graph.

* Each state is a node.
* For every combination of state and CPU instruction, there is an edge leading to the next state.
* Some nodes (for example "segfault") will be targets of many source nodes.
Let's examine just one path

[Figure: one path through the CPU state space, built up over several slides.]

What happens when we enter a weird state?
* State gets corrupted to enter "weird state" (non-sane, non-transitory).
* The instruction sequence to perform the state transition is applied to a weird state.
* Each instruction will jump to a "random" (not random, just unknown) new state.

The emulated IFSM transition created a "random-ish" edge in the state graph.


"Random" graph?

* Every state transition out of a state in the IFSM creates an "edge" in the CPU state graph from every weird state to the next state.
* For all practical purposes, we can regard this edge as "random" (not really random, but given that we know nothing about the IFSM emulator, our uncertainty is best approximated by thinking of the edge as "random").
* We get a strange form of extremal graph theory.


Erdős-Rényi model and "Giant Components"

* The ER model of random graphs: every possible edge on n nodes is present with probability p. If p > 1/n, then with high probability a giant component emerges.
* If such a graph has O(n log n) edges it has a single giant connected component with high probability.
* If the probability for edges is below 1/n, the graph will remain fragmented into small islands that are not connected to each other.


Erdős-Rényi model and "Giant Components"

* (This is the undirected case, and clearly not the case we are dealing with, but the asymptotics do not change too drastically for the directed case.)
* Provides a hint for the power of weird machines to break security barriers.
Erdős-Rényi model and "Giant Components"

* Intuitively: if the edges induced by your state transitions create a single giant strongly connected component, then almost every possible state is reachable from almost every weird state.
* A stronger statement for security implications than "Turing-completeness": state reachability in violation of security properties is the attacker goal.
* n log n edges is not that many -- it's just a little more than one edge per node...
Why can the weird machine reach so many states?

* If each IFSM transition out of a state creates a new edge from every CPU state to a new CPU state, we get k × n edges (where k is the number of IFSM state transitions).
* Even if just slightly fewer than (k - 1) of the induced edges per node segfault, we are adding slightly more than one random edge to each state.
* If significantly fewer of the induced edges fault, it seems very plausible that a giant strongly connected component emerges.
Why can the weird machine reach so many states?

* Adding edges to random graphs quickly creates large connected components.
* Each IFSM transition begets k × n new edges in the CPU state-graph.
* Complexity of the IFSM makes the CPU state-graph with weird-machine edges "more connected".
* Explains why complexity of the IFSM empirically helps the attacker.
* Explains the "compositional power" of weird machine transitions.
Practical implications

* This graph-centric view provides a way to think about countermeasures.
* Randomising mitigations (ASLR etc.) reduce the number of edges significantly, as many are bent to "segfault".
* Not nearly enough: we saw that we need to get close to bending (k - 1) edges to segfault if the IFSM has k branches at a given state.
* Do we have other mechanisms that have a better shot at success?
Practical implications

* Let's look at "Memory tagging".
* Memory tagging assigns N-bit tags to physical memory and stores them also in unused pointer bits.
* Memory can only be accessed through pointers with the right tags.
* Is there a strong reason to believe this makes a difference?
* Memory tagging communicates invariants about the IFSM emulator to the hardware ("memory will only be accessed through pointers derived from the initial allocation").
* The vast majority of "weird transitions" arising from applying an emulated IFSM transition to a weird state that currently will not fault will not work with MT enabled.
* Result: "Bending" many edges toward a faulting state.


Questions arising from this:

* There is obvious work to be done on extremal graph theory (or simulations) for graphs with the following properties:
  o Directed
  o Nodes split into a (possibly large) number of equivalence classes with a per-class specific distribution of outgoing edges
* What properties need to hold for these distributions to make the graph fall into many tiny pieces?
* Can the expected size of a connected component be upper-bounded? How tightly? Upper bounds would imply "fewer states reachable for weird machines".
Questions arising from this:

* Can we quantify what percentage of "currently valid" weird-machine edges would be eliminated ("bent to fault") by a countermeasure?
* At what threshold do we expect the fragments to be too small to be useful?
Questions arising from this:

* Given that almost all of the questions have no hope of an analytic solution, can we estimate the effects of mitigations?
* Example setup: network daemon with a known protocol and flaw that induces a weird state.
  o Can we divide possible inputs into equivalence classes and then test exhaustively how many non-faulting options there are? This looks vaguely like a chess engine (brute force tree search, but eliminating isomorphic positions?).
  o Given a simulated mitigation, can we estimate what fraction of edges are eliminated? Assume ~30 (synthetic?) bugs to induce weird states, and k input equivalence classes for the attacker; is there a way to estimate what percentage of edges are "bent to fault"?
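As an added, constructed simulation (not from the talk) of the "k × n edges" argument and of the threshold question above: each weird state gets k induced edges to unknown CPU states, a mitigation bends a fraction of them to a faulting dead end, and the size of the largest strongly connected component is measured. With k = 4, bending half the edges still leaves most states mutually reachable, while bending 90% (past the (k - 1) of k the slides call for) shatters the graph into tiny pieces; n, the seed and the Tarjan helper are my own choices.

```python
import random
from itertools import count

def weird_state_graph(n, k, bend_prob, seed=0):
    """Constructed model (an assumption, not measured data): n weird states, each
    of the k IFSM transitions induces one outgoing edge per state to an unknown
    ("random") state; a mitigation bends each edge to fault with prob bend_prob."""
    rng = random.Random(seed)
    adj = [[] for _ in range(n)]
    for v in range(n):
        for _ in range(k):
            if rng.random() >= bend_prob:      # edge survives the mitigation
                adj[v].append(rng.randrange(n))  # bent edges are dropped (dead end)
    return adj

def largest_scc(adj):
    """Size of the largest strongly connected component (iterative Tarjan)."""
    n, nxt = len(adj), count()
    index, low, stack, on_stack, best = [None] * n, [0] * n, [], set(), 0
    for root in range(n):
        if index[root] is not None:
            continue
        work = [(root, 0)]                     # explicit DFS stack: (node, next edge)
        while work:
            v, i = work[-1]
            if i == 0:                         # first time v is reached
                index[v] = low[v] = next(nxt)
                stack.append(v)
                on_stack.add(v)
            if i < len(adj[v]):
                work[-1] = (v, i + 1)
                w = adj[v][i]
                if index[w] is None:
                    work.append((w, 0))
                elif w in on_stack:
                    low[v] = min(low[v], index[w])
            else:                              # all edges of v explored
                work.pop()
                if work:                       # propagate low-link to the DFS parent
                    low[work[-1][0]] = min(low[work[-1][0]], low[v])
                if low[v] == index[v]:         # v is the root of an SCC
                    pos = stack.index(v)
                    on_stack.difference_update(stack[pos:])
                    best = max(best, len(stack) - pos)
                    del stack[pos:]
    return best

def giant_fraction(n, k, bend_prob, seed=0):
    """Fraction of weird states inside the largest SCC after bending edges."""
    return largest_scc(weird_state_graph(n, k, bend_prob, seed)) / n
```

Sweeping bend_prob from 0 to 1 for a fixed k shows the fragmentation setting in only once fewer than one edge per state survives on average.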
Questions? Suggestions? Ideas?


